Cryptocurrency companies are being targeted by a new campaign that delivers a remote access trojan (RAT) called Parallax RAT. The malware injects itself into legitimate processes, so it does not stand out in a process listing and is harder for signature-based tools to detect.
Once injection succeeds, the operators can interact with the victim through Windows Notepad, which appears to serve as a communication channel. The RAT can also log keystrokes, capture the screen, and remotely reboot or shut down the compromised machine.
According to Uptycs’ analysis of the Telegram chat, the threat actor behind the campaign has an interest in crypto companies such as investment firms, exchanges, and wallet service providers.
The modus operandi is to query public sources such as DNSdumpster for the mail exchanger (MX) records of the targeted companies, identify their mail servers from those records, and then send phishing emails that carry the Parallax RAT payload.
The Telegram platform, where the threat actor organizes its operations and distributes malware, is becoming a hub for criminal activities due to the platform’s lax moderation efforts.
The first-stage payload is Visual C++ malware that uses process hollowing to inject Parallax RAT into a legitimate Windows component called pipanel.exe. A notable aspect of the attacks is the use of Notepad as the communication channel, through which victims are instructed to connect to an actor-controlled Telegram channel.
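As an added illustration, not code from Uptycs or from the original article, the following Python sketch shows how a detection engineer might surface the process-hollowing step from endpoint telemetry. Hollowing starts a trusted binary suspended, then the loader opens a handle to that child with memory-write rights, overwrites its image and resumes it. The script works over constructed Sysmon-style ProcessCreate (Event ID 1) and ProcessAccess (Event ID 10) records; the rule itself, the trusted and user-writable directory lists, and the System32 path assumed for pipanel.exe are assumptions made for this example rather than anything the research states.

```python
"""Heuristic process-hollowing detector over constructed Sysmon-style events.

Rule (an assumption for this example, not a vendor signature): flag a child
process when
  (a) the handle to the child was opened by the process that spawned it,
  (b) the granted access includes PROCESS_VM_OPERATION and PROCESS_VM_WRITE,
  (c) the child's image lives under the Windows directory, and
  (d) the parent runs from a user-writable location.
"""
from dataclasses import dataclass

# Windows process access rights (winnt.h) that matter for injection.
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_WRITE = 0x0020
PROCESS_SUSPEND_RESUME = 0x0800

INJECTION_RIGHTS = PROCESS_VM_OPERATION | PROCESS_VM_WRITE
THREAD_RIGHTS = PROCESS_CREATE_THREAD | PROCESS_SUSPEND_RESUME

# Assumed directory lists for the heuristic; tune to the environment.
TRUSTED_DIRS = ("c:\\windows\\",)
USER_WRITABLE_DIRS = ("c:\\users\\", "c:\\programdata\\", "c:\\temp\\")


@dataclass
class ProcessCreate:          # Sysmon Event ID 1 (fields reduced)
    pid: int
    image: str
    parent_pid: int
    parent_image: str


@dataclass
class ProcessAccess:          # Sysmon Event ID 10 (fields reduced)
    source_pid: int
    source_image: str
    target_pid: int
    target_image: str
    granted_access: int       # Sysmon logs this as a hex string, see parse_granted_access


def parse_granted_access(value: str) -> int:
    """Convert Sysmon's GrantedAccess hex string (e.g. '0x1FFFFF') to an int."""
    return int(value, 16)


def _under(path: str, prefixes) -> bool:
    p = path.lower()
    return any(p.startswith(prefix) for prefix in prefixes)


def find_hollowing(creates, accesses):
    """Return one dict per suspicious child: parent image, child image, pid,
    and whether the handle also carried thread-control rights (needed to
    resume the hollowed process)."""
    by_pid = {c.pid: c for c in creates}
    hits = []
    for a in accesses:
        child = by_pid.get(a.target_pid)
        if child is None or a.source_pid != child.parent_pid:
            continue  # (a) handle was not opened by the spawning parent
        if a.granted_access & INJECTION_RIGHTS != INJECTION_RIGHTS:
            continue  # (b) cannot overwrite the child's memory
        if not _under(child.image, TRUSTED_DIRS):
            continue  # (c) not a trusted Windows image being hollowed
        if not _under(child.parent_image, USER_WRITABLE_DIRS):
            continue  # (d) parent is itself a system binary; common and benign
        hits.append({
            "parent": child.parent_image,
            "child": child.image,
            "pid": child.pid,
            "thread_control": bool(a.granted_access & THREAD_RIGHTS),
        })
    return hits


# Constructed sample telemetry (not real events). The pipanel.exe path is assumed.
SAMPLE_CREATES = [
    ProcessCreate(4021, r"C:\Windows\System32\pipanel.exe",
                  3990, r"C:\Users\alice\AppData\Local\Temp\invoice.exe"),
    ProcessCreate(5120, r"C:\Windows\System32\notepad.exe",
                  1400, r"C:\Windows\explorer.exe"),
    ProcessCreate(6001, r"C:\Windows\System32\svchost.exe",
                  900, r"C:\Windows\System32\services.exe"),
]
SAMPLE_ACCESSES = [
    # Loader in a temp directory opens its suspended child with full rights.
    ProcessAccess(3990, r"C:\Users\alice\AppData\Local\Temp\invoice.exe",
                  4021, r"C:\Windows\System32\pipanel.exe",
                  parse_granted_access("0x1FFFFF")),
    # Benign: explorer only queries notepad (0x1000 = PROCESS_QUERY_LIMITED_INFORMATION).
    ProcessAccess(1400, r"C:\Windows\explorer.exe",
                  5120, r"C:\Windows\System32\notepad.exe",
                  parse_granted_access("0x1000")),
    # Benign: full rights, but both parent and child are trusted system binaries.
    ProcessAccess(900, r"C:\Windows\System32\services.exe",
                  6001, r"C:\Windows\System32\svchost.exe",
                  parse_granted_access("0x1FFFFF")),
]

if __name__ == "__main__":
    for hit in find_hollowing(SAMPLE_CREATES, SAMPLE_ACCESSES):
        print(f"possible hollowing: {hit['parent']} -> {hit['child']} "
              f"(pid {hit['pid']}, thread control={hit['thread_control']})")
```

Run as-is it reports only the invoice.exe to pipanel.exe pair: the parent-to-child handle with VM_OPERATION and VM_WRITE from a user-writable path is the part of the hollowing sequence that endpoint telemetry actually sees, while the suspended-create flag and NtUnmapViewOfSection are not logged by Sysmon. In production, the directory lists should be replaced with signer checks and the rule paired with a memory-image comparison (on-disk PE header versus the mapped image) to confirm that the child was really overwritten.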
The campaign shows that cryptocurrency companies remain a target for cybercriminals, and the tradecraft points at where defences should sit: filtering and user awareness for the phishing emails that deliver the payload, endpoint monitoring for injection into trusted Windows binaries, and visibility into unsanctioned Telegram traffic leaving the network.